API explorer: respect immutability, closes #1888

2022-11-13 22:01:56 -08:00 · 2022-11-13 22:01:56 -08:00 · 575a29c424
commit 575a29c424
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -281,8 +281,6 @@ class ApiExplorerView(BaseView):
        for name, db in self.ds.databases.items():
            if name == "_internal":
                continue
-            if not db.is_mutable:
-                continue
            database_visible, _ = await self.ds.check_visibility(
                request.actor,
                "view-database",
@ -301,6 +299,7 @@ class ApiExplorerView(BaseView):
                if not visible:
                    continue
                table_links = []
+                tables.append({"name": table, "links": table_links})
                table_links.append(
                    {
                        "label": "Get rows for {}".format(table),
@ -309,6 +308,10 @@ class ApiExplorerView(BaseView):
                        + "?_shape=objects".format(name, table),
                    }
                )
+                # If not mutable don't show any write APIs
+                if not db.is_mutable:
+                    continue
+
                if await self.ds.permission_allowed(
                    request.actor, "insert-row", (name, table)
                ):
@ -340,9 +343,11 @@ class ApiExplorerView(BaseView):
                            "method": "POST",
                        }
                    )
-                tables.append({"name": table, "links": table_links})
            database_links = []
-            if await self.ds.permission_allowed(request.actor, "create-table", name):
+            if (
+                await self.ds.permission_allowed(request.actor, "create-table", name)
+                and db.is_mutable
+            ):
                database_links.append(
                    {
                        "path": self.ds.urls.database(name) + "/-/create",